Analysis
max time kernel: 20s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2023, 19:15
Static task: static1
Behavioral task: behavioral1
Sample: x.bat
Resource: win7-20230220-en

General
Target: x.bat
Size: 24B
MD5: 1f4286706c7aaec25953446105db0b2f
SHA1: f05cce50773908160a48050774f5ffa9371ffa30
SHA256: ca9081c426cb9ef12be73a8a1c2d68c9e3eb9da9981b97b77ab7f4a3b3ab5382
SHA512: fe4e2ac84c7a38ea0712728775766778258a02efb2a1eb97ca8e406e4b3995f12727b56ae06a3d7ad139d011671145240379a6fe4e839f8955a3f28a2264fbd1
Malware Config
Extracted
Family: qakbot
Version: 404.74
Botnet: BB17
Campaign: 1677767634
C2: (list of IP:port entries omitted)
Salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1976  rundll32.exe
  564   wermgr.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1976  rundll32.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description                          pid   Process       procid_target  count
  PID 924 wrote to memory of 1212      924   cmd.exe       28             3
  PID 1212 wrote to memory of 1976     1212  rundll32.exe  29             7
  PID 1976 wrote to memory of 564      1976  rundll32.exe  30             6
Processes

1. C:\Windows\system32\cmd.exe
   cmd /c "C:\Users\Admin\AppData\Local\Temp\x.bat"
   PID: 924
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe
      rundll32.exe x.dll,RS32
      PID: 1212
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe
         rundll32.exe x.dll,RS32
         PID: 1976
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\wermgr.exe
            C:\Windows\SysWOW64\wermgr.exe
            PID: 564
            - Suspicious behavior: EnumeratesProcesses